
I am always puzzled when a company reports a breach and says "X account details were compromised, and Y passwords were obtained..." when Y is a smaller percentage of X.

I would assume that there is always a 1 to 1 relationship of user account details to passwords, or that the passwords are stored within the user table in the DB, so at best, X=Y at all times?

I can understand if it is a current breach and the DBAs managed to stop a transfer of data mid-query, but in a 4-year-old database (in this case) where hackers only have partial data for passwords, but full data for user accounts?



Disqus provides options for single-sign-on. So it's possible that some of the accounts breached didn't have a password associated with them, only OAuth tokens.



